Update to 8u452-b09 (GA)

- Update release notes for 8u452-b09. - Remove long option documentation from JDK-8335912/JDK-8337499 as not present in 8u - Require tzdata 2025a due to upstream inclusion of JDK-8347965 ** This tarball is embargoed until 2025-04-15 @ 1pm PT. ** Resolves: RHEL-86967 Resolves: RHEL-86620
2025-02-05 00:13:55 +00:00 · 2025-02-05 00:13:55 +00:00 · 666ddcc147
commit 666ddcc147
parent 05751538a6
4 changed files with 298 additions and 13 deletions
--- a/.gitignore
+++ b/.gitignore
@ -303,3 +303,137 @@
 /shenandoah8u442-b01.tar.xz
 /shenandoah8u442-b05.tar.xz
 /shenandoah8u442-b06.tar.xz
+/openjdk8u272-ga.tar.xz
+/openjdk8u275-ga.tar.xz
+/openjdk8u282-b01-ea.tar.xz
+/openjdk8u282-b02-ea.tar.xz
+/openjdk8u282-b03-ea.tar.xz
+/openjdk8u282-b04-ea.tar.xz
+/openjdk8u282-b05-ea.tar.xz
+/openjdk8u282-b06-ea.tar.xz
+/openjdk8u282-b07-ea.tar.xz
+/openjdk8u282-ga.tar.xz
+/openjdk8u282-b08-ea.tar.xz
+/openjdk8u292-b01-ea.tar.xz
+/openjdk8u292-b02-ea.tar.xz
+/openjdk8u292-b03-ea.tar.xz
+/openjdk8u292-b04-ea.tar.xz
+/openjdk8u292-b05-ea.tar.xz
+/openjdk8u292-b06-ea.tar.xz
+/openjdk8u292-b07-ea.tar.xz
+/openjdk8u292-b08-ea.tar.xz
+/openjdk8u292-b09-ea.tar.xz
+/openjdk8u292-b10-ea.tar.xz
+/openjdk8u292-ga.tar.xz
+/openjdk8u302-b01-ea.tar.xz
+/openjdk8u302-b02-ea.tar.xz
+/openjdk8u302-b03-ea.tar.xz
+/openjdk8u302-b04-ea.tar.xz
+/openjdk8u302-b05-ea.tar.xz
+/openjdk8u302-b06-ea.tar.xz
+/openjdk8u302-b07-ea.tar.xz
+/openjdk8u302-ga.tar.xz
+/openjdk8u312-b01-ea.tar.xz
+/openjdk8u312-b02-ea.tar.xz
+/openjdk8u312-b03-ea.tar.xz
+/openjdk8u312-b04-ea.tar.xz
+/openjdk8u312-b05-ea.tar.xz
+/openjdk8u312-b06-ea.tar.xz
+/openjdk8u312-ga.tar.xz
+/openjdk8u322-b01-ea.tar.xz
+/openjdk8u322-b02-ea.tar.xz
+/openjdk8u322-b03-ea.tar.xz
+/openjdk8u322-b04-ea.tar.xz
+/openjdk8u322-b05-ea.tar.xz
+/openjdk8u322-ga.tar.xz
+/openjdk8u332-b01-ea.tar.xz
+/openjdk8u332-b02-ea.tar.xz
+/openjdk8u332-b03-ea.tar.xz
+/openjdk8u332-b04-ea.tar.xz
+/openjdk8u332-b05-ea.tar.xz
+/openjdk8u332-b06-ea.tar.xz
+/openjdk8u332-b09.tar.xz
+/openjdk8u342-b01-ea.tar.xz
+/openjdk8u342-b02-ea.tar.xz
+/openjdk8u342-b03-ea.tar.xz
+/openjdk8u342-b04-ea.tar.xz
+/openjdk8u342-b05-ea.tar.xz
+/openjdk8u342-b06-ea.tar.xz
+/openjdk8u342-b07.tar.xz
+/openjdk8u345-b01.tar.xz
+/openjdk8u352-b01-ea.tar.xz
+/openjdk8u352-b02-ea.tar.xz
+/openjdk8u352-b03-ea.tar.xz
+/openjdk8u352-b04-ea.tar.xz
+/openjdk8u352-b05-ea.tar.xz
+/openjdk8u352-b06-ea.tar.xz
+/openjdk8u352-b07-ea.tar.xz
+/openjdk8u352-b08.tar.xz
+/openjdk8u362-b01-ea.tar.xz
+/openjdk8u362-b02-ea.tar.xz
+/openjdk8u362-b03-ea.tar.xz
+/openjdk8u362-b04-ea.tar.xz
+/openjdk8u362-b05-ea.tar.xz
+/openjdk8u362-b06-ea.tar.xz
+/openjdk8u362-b07-ea.tar.xz
+/openjdk8u362-b08.tar.xz
+/openjdk8u362-b09.tar.xz
+/openjdk8u372-b01-ea.tar.xz
+/openjdk8u372-b02-ea.tar.xz
+/openjdk8u372-b03-ea.tar.xz
+/openjdk8u372-b04-ea.tar.xz
+/openjdk8u372-b05-ea.tar.xz
+/openjdk8u372-b06-ea.tar.xz
+/openjdk8u372-b07.tar.xz
+/openjdk8u382-b01-ea.tar.xz
+/openjdk8u382-b02-ea.tar.xz
+/openjdk8u382-b03-ea.tar.xz
+/openjdk8u382-b04-ea.tar.xz
+/openjdk8u382-b05.tar.xz
+/openjdk8u392-b01-ea.tar.xz
+/openjdk8u392-b02-ea.tar.xz
+/openjdk8u392-b04-ea.tar.xz
+/openjdk8u392-b05-ea.tar.xz
+/openjdk8u392-b06-ea.tar.xz
+/openjdk8u392-b07-ea.tar.xz
+/openjdk8u392-b08.tar.xz
+/openjdk8u402-b01-ea.tar.xz
+/openjdk8u402-b02-ea.tar.xz
+/openjdk8u402-b03-ea.tar.xz
+/openjdk8u402-b04-ea.tar.xz
+/openjdk8u402-b05-ea.tar.xz
+/openjdk8u402-b06.tar.xz
+/openjdk8u412-b01-ea.tar.xz
+/openjdk8u412-b02-ea.tar.xz
+/openjdk8u412-b03-ea.tar.xz
+/openjdk8u412-b04-ea.tar.xz
+/openjdk8u412-b05-ea.tar.xz
+/openjdk8u412-b06-ea.tar.xz
+/openjdk8u412-b07-ea.tar.xz
+/openjdk8u412-b08.tar.xz
+/openjdk8u422-b01-ea.tar.xz
+/openjdk8u422-b02-ea.tar.xz
+/openjdk8u422-b03-ea.tar.xz
+/openjdk8u422-b04-ea.tar.xz
+/openjdk8u422-b05.tar.xz
+/openjdk8u432-b01-ea.tar.xz
+/openjdk8u432-b02-ea.tar.xz
+/openjdk8u432-b03-ea.tar.xz
+/openjdk8u432-b04-ea.tar.xz
+/openjdk8u432-b05-ea.tar.xz
+/openjdk8u432-b06.tar.xz
+/openjdk8u442-b01-ea.tar.xz
+/openjdk8u442-b02-ea.tar.xz
+/openjdk8u442-b03-ea.tar.xz
+/openjdk8u442-b04-ea.tar.xz
+/openjdk8u442-b05-ea.tar.xz
+/openjdk8u442-b06.tar.xz
+/openjdk8u452-b01-ea.tar.xz
+/openjdk8u452-b03-ea.tar.xz
+/openjdk8u452-b04-ea.tar.xz
+/openjdk8u452-b05-ea.tar.xz
+/openjdk8u452-b06-ea.tar.xz
+/openjdk8u452-b07-ea.tar.xz
+/openjdk8u452-b08.tar.xz
+/openjdk8u452-b09.tar.xz
+/shenandoah8u452-b09.tar.xz
--- a/154
+++ b/154
@ -3,6 +3,151 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY

+New in release OpenJDK 8u452 (2025-04-15):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bit.ly/openjdk8u452
+
+* CVEs
+  - CVE-2025-21587
+  - CVE-2025-30691
+  - CVE-2025-30698
+* Changes
+  - JDK-8037013: [TESTBUG] Fix test/java/lang/ClassLoader/Assert.sh on AIX
+  - JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo
+  - JDK-8068305: [TEST_BUG] Test java/awt/Mixing/HWDisappear.java fails with GTKL&F
+  - JDK-8212096: javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch
+  - JDK-8227651: Tests fail with SSLProtocolException: Input record too big
+  - JDK-8240235: jdk.test.lib.util.JarUtils updates jar files incorrectly
+  - JDK-8244966: Add .vscode to .hgignore and .gitignore
+  - JDK-8250825: C2 crashes with assert(field != __null) failed: missing field
+  - JDK-8255466: C2 crashes at ciObject::get_oop() const+0x0
+  - JDK-8261020: Wrong format parameter in create_emergency_chunk_path
+  - JDK-8265019: Update tests for additional TestNG test permissions
+  - JDK-8266881: Enable debug log for SSLEngineExplorerMatchedSNI.java
+  - JDK-8268457: XML Transformer outputs Unicode supplementary character incorrectly to HTML
+  - JDK-8285756: clean up use of bad arguments for `@clean` in langtools tests
+  - JDK-8309841: Jarsigner should print a warning if an entry is removed
+  - JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java java.lang.Exception: Could not find leak
+  - JDK-8326110: [8u] The Marlin tests should be updated after JDK-8241307
+  - JDK-8337494: Clarify JarInputStream behavior
+  - JDK-8337692: Better TLS connection support
+  - JDK-8338430: Improve compiler transformations
+  - JDK-8339560: Unaddressed comments during code review of JDK-8337664
+  - JDK-8339637: (tz) Update Timezone Data to 2024b
+  - JDK-8339644: Improve parsing of Day/Month in tzdata rules
+  - JDK-8339810: Clean up the code in sun.tools.jar.Main to properly close resources and use ZipFile during extract
+  - JDK-8340552: Harden TzdbZoneRulesCompiler against missing zone names
+  - JDK-8340660: [8u] Test com/sun/jdi/PrivateTransportTest.sh fails on MacOS
+  - JDK-8342562: Enhance Deflater operations
+  - JDK-8343007: Enhance Buffered Image handling
+  - JDK-8345504: Bump update version of OpenJDK: 8u452
+  - JDK-8346140: [8u] tools/jar/ExtractFilesTest.java and tools/jar/MultipleManifestTest.java fails with jtreg5.1
+  - JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
+  - JDK-8347847: Enhance jar file support
+  - JDK-8347965: (tz) Update Timezone Data to 2025a
+  - JDK-8348211: [8u] sun/management/jmxremote/startstop/JMXStartStopTest.java fails after backport of JDK-8066708
+  - JDK-8349166: Bad indentation in backport of JDK-8250825
+  - JDK-8350816: [8u] Update TzdbZoneRulesCompiler to ignore HST/EST/MST links
+  - JDK-8352097: (tz) zone.tab update missed in 2025a backport
+  - JDK-8353433: XCG currency code not recognized in JDK 8u
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8309841: Jarsigner should print a warning if an entry is removed
+====================================================================
+In previous OpenJDK releases, the jarsigner tool did not detect the
+case where a file was removed from a signed JAR file but its signature
+was still present. With this release, `jarsigner -verify` checks that
+every signature has a matching file entry and prints a warning if this
+is not the case. The `-verbose` option can also be added to the
+command to see the names of the mismatched entries.
+
+security-libs/javax.net.ssl:
+
+JDK-8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs
+=============================================================================
+In accordance with similar plans recently announced by Google,
+Mozilla, Apple and Microsoft, the JDK will not trust Transport Layer
+Security (TLS) certificates issued after the 15th of April 2025 which
+are anchored by Camerfirma root certificates.
+
+Certificates issued on or before April 15th, 2025 will continue to
+be trusted until they expire.
+
+If a server's certificate chain is anchored by an affected
+certificate, attempts to negotiate a TLS session will fail with an
+Exception that indicates the trust anchor is not trusted. For example,
+
+"TLS server certificate issued after 2025-04-15 and anchored by a
+distrusted legacy Camerfirma root CA: CN=Chambers of Commerce Root -
+2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see
+current address at www.camerfirma.com/address), C=EU"
+
+To check whether a certificate in a JDK keystore is affected by this
+change, you can the `keytool` utility:
+
+keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
+
+If any of the certificates in the chain are affected by this change,
+then you will need to update the certificate or contact the
+organisation responsible for managing the certificate.
+
+These restrictions apply to the following Camerfirma root certificates
+included in the JDK:
+
+Alias name: camerfirmachamberscommerceca [jdk]
+CN=Chambers of Commerce Root
+OU=http://www.chambersign.org
+O=AC Camerfirma SA CIF A82743287
+C=EU
+SHA256: 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
+
+Alias name: camerfirmachambersca [jdk]
+CN=Chambers of Commerce Root - 2008
+O=AC Camerfirma S.A.
+SERIALNUMBER=A82743287
+L=Madrid (see current address at www.camerfirma.com/address)
+C=EU
+SHA256: 06:3E:4A:FA:C4:91:DF:D3:32:F3:08:9B:85:42:E9:46:17:D8:93:D7:FE:94:4E:10:A7:93:7E:E2:9D:96:93:C0
+
+Alias name: camerfirmachambersignca [jdk]
+CN=Global Chambersign Root - 2008
+O=AC Camerfirma S.A.
+SERIALNUMBER=A82743287
+L=Madrid (see current address at www.camerfirma.com/address)
+C=EU
+SHA256: 13:63:35:43:93:34:A7:69:80:16:A0:D3:24:DE:72:28:4E:07:9D:7B:52:20:BB:8F:BD:74:78:16:EE:BE:BA:CA
+
+Users can, *at their own risk*, remove this restriction by modifying
+the `java.security` configuration file (or override it by using the
+`java.security.properties` system property) so "CAMERFIRMA_TLS" is no
+longer listed in the `jdk.security.caDistrustPolicies` security
+property.
+
+core-libs/java.time:
+
+JDK-8339637: (tz) Update Timezone Data to 2024b
+===============================================
+This OpenJDK release upgrades the in-tree copy of the IANA timezone
+database to 2024b.  This timezone update is primarily concerned with
+improving historical data for Mexico, Monogolia and Portugal. It also
+makes Asia/Choibalsan an alias for Asia/Ulaanbaatar and makes the MET
+timezone the same as CET.
+
+The 2024b update also makes a number of legacy timezone IDs equal to
+geographical names rather than fixed offsets, as follows:
+
+* EST => America/Panama instead of -5:00
+* MST => America/Phoenix instead of -7:00
+* HST => Pacific/Honolulu instead of -10:00
+
+For long term support releases of OpenJDK, this change is overridden
+locally to retain the existing fixed offset mapping.
+
 New in release OpenJDK 8u442 (2025-01-21):
 ===========================================
 Live versions of these release notes can be found at:
@ -39,15 +184,12 @@ JDK-8335912/JDK-8337499: Add an operation mode to the jar command when extractin
 ===================================================================================================================
 In previous OpenJDK releases, when the jar tool extracted files from
 an archive, it would overwrite any existing files with the same name
-in the target directory. With this release, a new option ('-k' or
-'--keep-old-files') may be specified so that existing files are not
-overwritten.
+in the target directory. With this release, a new option ('-k') may be
+specified so that existing files are not overwritten.

-The option may be specified in short or long option form, as in the
-following examples:
+The option may be specified as in the following example:

 * jar xkf foo.jar
-* jar --extract --keep-old-files --file foo.jar

 By default, the old behaviour remains in place and files will be
 overwritten.
--- a/java-1.8.0-openjdk.spec
+++ b/java-1.8.0-openjdk.spec
@ -312,7 +312,7 @@
 # Define version of OpenJDK 8 used
 %global project openjdk
 %global repo shenandoah-jdk8u
-%global openjdk_revision 8u442-b06
+%global openjdk_revision 8u452-b09
 %global shenandoah_revision shenandoah%{openjdk_revision}
 # Define IcedTea version used for SystemTap tapsets and desktop files
 %global icedteaver      3.15.0
@ -359,7 +359,7 @@
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
 # rpmrelease numbering must start at 2 to be later than the 9.0 RPM
-%global rpmrelease      3
+%global rpmrelease      2
 # Settings used by the portable build
 %global portablerelease 1
 # Portable suffix differs between RHEL and CentOS
@ -1279,8 +1279,8 @@ Provides: jre%{?1} = %{epoch}:%{version}-%{release}
 Requires: ca-certificates
 # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
 Requires: javapackages-filesystem
-# 2024a required as of JDK-8325150
-Requires: tzdata-java >= 2024a
+# 2025a required as of JDK-8347965
+Requires: tzdata-java >= 2025a
 # for support of kernel stream control
 # libsctp.so.1 is being `dlopen`ed on demand
 Requires: lksctp-tools%{?_isa}
@ -1700,8 +1700,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
 BuildRequires: libffi
 BuildRequires: libffi-devel
 %endif
-# 2024a required as of JDK-8325150
-BuildRequires: tzdata-java >= 2024a
+# 2025a required as of JDK-8347965
+BuildRequires: tzdata-java >= 2025a
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8

@ -2966,6 +2966,15 @@ cjc.mainProgram(args)
 %endif

 %changelog
+* Fri Apr 11 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.452.b09-2
+- Update to 8u452-b09 (GA)
+- Update release notes for 8u452-b09.
+- Remove long option documentation from JDK-8335912/JDK-8337499 as not present in 8u
+- Require tzdata 2025a due to upstream inclusion of JDK-8347965
+- ** This tarball is embargoed until 2025-04-15 @ 1pm PT. **
+- Resolves: RHEL-86967
+- Resolves: RHEL-86620
+
 * Fri Jan 17 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.442.b06-3
 - Bump rpmrelease for CentOS build
 - Related: RHEL-73554
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (shenandoah8u442-b06.tar.xz) = 8980111d5dd4d37ae41d0dac9d48d5829dba845dc2986f0660a12c17ae2bf1f7f405bab8db9b7637073b837d8e25b5530f039adfbb2f597864b791a6ba565c4d
+SHA512 (shenandoah8u452-b09.tar.xz) = 1f2b77693069828e06459fd0093722a48b02db9a8622956cceaaabc09da8868c522fa434555c217db4a634bbe2ec9e1daefe9905f13411ec177a5d803cfc6f0a